The Office of Personnel Management (OPM) had known since 2012 about security flaws in its online submission system, roughly three years before the agency finally shut down the system to repair it.
“OPM has known about vulnerabilities in the system for years, but has not corrected them,” Michael Esser, the assistant inspector general for audits at the OPM, told a House subcommittee on Wednesday.
In late June, the OPM said it was suspending the Web-based platform, known as e-QIP, after a security review conducted in the wake of massive hacks at the agency uncovered significant defects.
The OPM data breach has likely exposed upwards of 18 million people’s sensitive information and is raising pointed questions about why the agency hasn't moved more expeditiously over the years to correct glaring problems with its networks.
The agency’s inspector general has said OPM officials repeatedly failed to heed its warnings, even refusing to shut down several of its weakest computer systems as recommended.
On Wednesday, Esser accused the agency of also not responding to alerts about the e-QIP system, which is used to file the background checks for security clearances.
The agency’s oversight arm detailed 18 security vulnerabilities starting in 2012, he said.
“I do not know if those vulnerabilities were related to the reason the system was shut down last week,” Esser added.
OPM Director Katherine Archuleta has maintained she always takes into account the watchdog’s recommendations. The agency kept the deficient computer systems running, she said, in order to avoid gaps in delivering employees’ paychecks and benefits.
The OPM said the e-QIP system will be up and running again by sometime in late July or early August.